MSFT_MpWDOScan

Windows Defender Offline Scan Class

Methods

Properties

MSFT_MpWDOScan returns no properties.

Examples

Get-CimInstance -ClassName MSFT_MpWDOScan -Namespace root/microsoft/windows/defender

Get-CimInstance -ClassName MSFT_MpWDOScan -Namespace root/microsoft/windows/defender -Property *

Get-CimInstance -ClassName MSFT_MpWDOScan -Namespace root/microsoft/windows/defender -KeyOnly

Selecting Properties

To select only some properties, pipe the results to Select-Object -Property a,b,c with a comma-separated list of the properties you require. Wildcards are permitted.

Get-CimInstance always returns all properties but only retrieves the ones that you specify. All other properties are empty but still present. That’s why you need to pipe the results into Select-Object if you want to limit the visible properties, i.e. for reporting.

$properties = 
Get-CimInstance -ClassName MSFT_MpWDOScan -Namespace root/microsoft/windows/defender | Select-Object -Property $properties

Get-CimInstance -Class MSFT_MpWDOScan -Namespace root/microsoft/windows/defender -Property $property | 
Select-Object -Property $property

Selecting Instances

To select some instances, use Get-CimInstance and a WMI Query. The wildcard character in WMI Queries is % (and not “*”).

The parameter -Filter runs a simple query.

Get-CimInstance -Class MSFT_MpWDOScan -Namespace root/microsoft/windows/defender -Filter 'Caption LIKE "a%"' 

Get-CimInstance -Query "SELECT  FROM MSFT_MpWDOScan WHERE Caption LIKE 'a%'" -Namespace root/microsoft/windows/defender

Accessing Remote Computers

To access remote systems, you need to have proper permissions. User the parameter -ComputerName to access one or more remote systems.

# one or more computer names or IP addresses:
$list = 'server1', 'server2'

# authenticate with your current identity:
$result = Get-CimInstance -ClassName MSFT_MpWDOScan -Namespace root/microsoft/windows/defender -ComputerName $list 
$result

# one or more computer names or IP addresses:
$list = 'server1', 'server2'

# authenticate with a different identity:
$cred = Get-Credential -Message 'Authenticate to retrieve WMI information:'
$session = New-CimSession -ComputerName $list -Credential $cred

$result = Get-CimInstance MSFT_MpWDOScan -Namespace root/microsoft/windows/defender -CimSession $session

# remove the session after use (if you do not plan to re-use it later)
Remove-CimSession -CimSession $session

$result

Learn more about accessing remote computers.

Requirements

To use MSFT_MpWDOScan, the following requirements apply:

PowerShell

Get-CimInstance was introduced with PowerShell Version 3.0, which in turn was introduced on clients with Windows 8 and on servers with Windows Server 2012.

If necessary, update Windows PowerShell to Windows PowerShell 5.1, or install PowerShell 7 side-by-side.

Operating System

MSFT_MpWDOScan was introduced on clients with Windows 10 [desktop apps only] and on servers with Windows Server 2016.

Namespace

MSFT_MpWDOScan lives in the Namespace Root/Microsoft/Windows/Defender. This is not the default namespace. Use parameter -Namespace root/microsoft/windows/defender with all CIM cmdlets..

Implementation

MSFT_MpWDOScan is implemented in ProtectionManagement.dll and defined in ProtectionManagement.mof. Both files are located in the folder C:\Windows\system32\wbem:

explorer $env:windir\system32\wbem
notepad $env:windir\system32\wbem\ProtectionManagement.mof